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ABSTRACT 


The  use  of  a  password  as  the  only  traditional  user  authentication 
mechanism  has  been  criticized  for  its  weakness  in  computer  security.  One 
problem  is  for  the  user  to  select  short,  easy  to  remember  passwords.  Another 
problem  is  the  selection  of  a  password  that  is  too  long  which  the  user  tends  to 
forget.  Long  passwords  tend  to  be  written  down  carelessly  somewhere  in  the  work 
space.  Such  practices  can  create  serious  security  loopholes. 

Consequently,  this  is  a  survey  of  alternative  password  mechanisms  and 
other  improved  devices  that  are  now  available  in  the  marketplace  to  enhance 
computer  security.  It  taxonomizes  the  existing  inventory  of  user  authentication 
mechanisms  such  as  biometrics,  challenge/response,  password,  smart  card  and 
token. 
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1.  INTRODUCTION 


A.  COMPUTER  SECURITY 

When  one  discusses  computer  security  issues,  there  are  fom  areas  that  are  equally 
important  in  the  computer  security  field:  memory  protection,  file  protection,  general 
object  access  control,  and  user  authentication.  (Pfleeger,  1989) 

Memory  protection  is  important  for  multi-user  environments  today  and 
increasingly  important  for  the  future.  This  is  due  to  the  increase  in  networking  such  as 
LAN  and  WAN.  Advances  in  memory  protection  include  mechanisms  such  as  fences, 
base/bounds  registers,  tagged  architecture,  paging,  and  segmentation  which  are  useful  for 
machine  addressing  and  protection.  (Pfleeger,  1989) 

File  protection  schemes  include  general-purpose  operating  systems  which  are  often 
based  on  a  three-or  four-level  format  (for  example:  user-group-all).  This  format  is 
reasonably  straightforward  to  implement,  but  it  restricts  access  control  to  fewer  levels. 

Access  control  is  addressed  by  the  access  control  matrix  or  access  control  lists 
organized  on  a  per-object  or  per-user  basis.  It  is  flexible  to  use  but  the  mechanism  can  be 
difficult  to  implement  efficiently. 

User  authentication  is  an  issue  that  becomes  more  important  as  unacquainted  users 
seek  to  share  facihties  through  networks. 

This  study  surveys  the  known  techniques,  practices  and  mechanisms  of  user 
authentication.  It  orders  these  in  a  taxonomy  of  methods,  including  passwords  and 
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authentication  mechanisms  such  as  token,  smart  cards  and  bio-technical  devices  (such  as 
retina  scans  and  finger  prints).  The  resulting  inventory,  will  be  of  value  to  computer 
security  analysts,  computer  security  managers  and  designers  of  operating  systems.  This 
paper  wUl  also  attempt  to  tie  in  the  NCSC  Orange  book  and  its  demands  for 
authentication  mechanisms.  Commercial  packages  to  enhance  user  authentication  vtill  be 
reviewed  as  weU. 

B.  ISSUES 

With  recent  news  coverage  docmnenting  the  activities  of  hackers,  the  Department 
of  Defense  has  impetus  to  strengthen  authentication  of  the  users  of  its  information 
systems.  (Littman,  1996;  Schorow,  1996;  Alexander,  1995;  Baig,  1994;  Borowsky,  1994; 
GAO  testimony,  1991).  For  most  computer  systems,  password  protection  represents  the 
first  line  of  defense  against  an  intruder.  Typically,  each  user  must  enter  a  user  name  and 
password  to  gain  access  to  the  system.  But  password  protection  is  notoriously  fallible 
due  to  such  reasons  as  users  tending  to  select  not  only  easy  to  remember  passwords  but 
also  writing  them  down  where  they  can  be  seen.  For  these  reasons,  numerous 
technological  refinements  have  been  created  to  strengthen  the  authenticity  of  passwords. 
Just  as  security  administration  should  be  easy  for  administrators,  so  too  should  security 
be  easy,  simple  and  unobtrusive  for  end-users.  That  is  an  end-user  shouldn’t  be  aware 
that  any  extra  security  safeguards  are  in  effect.  If  users  perceive  security  as  requiring 
additional  effort  on  their  part  they  may  look  for  ways  to  get  around  it. 
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Unauthorized  intrusions  into  Department  Of  Defense  (DoD)  computer  systems 
was  reported  by  the  Government  Accounting  Office  (GAO)  during  its  testimony  on 
computer  security  before  the  United  States  Senate.  This  testimony  reported  hacker 
intrusions  into  DoD  unclassified  sensitive  computer  systems  during  Operation  Desert 
Storm/Shield.  Between  April  1990  and  May  1991,  computer  hackers  from  the 
Netherlands  penetrated  34  DOD  sites.  At  many  of  the  sites  the  hackers  had  access  to 
unclassified,  sensitive  information  on  such  subjects  as  military  personnel  (personnel 
performance  reports,  travel  information,  and  personnel  reductions),  logistics  (descriptions 
of  the  type  and  quantity  of  equipment  being  moved),  and  weapons  systems  development 
data.  Among  the  reasons  for  this  possible  intrusion  was  poor  password  management. 
(Brock,  1996) 

As  unauthorized  access  to  computer  systems  continues  to  mount,  the  need  for 
protection  of  sensitive  information  is  greater  than  ever  before.  The  threat  is  definitely 
there.  (Littman,  1996) 

Government  agencies,  small  businesses  and  medium-size  corporations  are 
vulnerable  to  penetration  by  illegal  users.  DOD  sensitive  information,  data,  sources, 
resources,  mailing  lists,  corporate  and  trade  secrets,  expansion  plans,  marketing 
strategies,  graphs,  profit  and  loss  statements,  correspondence,  and  employee  records  are 
there  for  the  taking.  (Alexander,  1995;  Littman,  1996) 
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n.  USER  IDENTIFICATION  AND  USER  AUTBOENUCATION 


Controlling  access  to  a  computer  system  assists  a  computer  security  manager  and 
system  administrator  in  monitoring  authorized  users,  monitoring  and  catching 
unauthorized  users,  and  monitoring  the  various  operations  of  the  systems.  (Russell  and 
Gangemi  Sr.,  1992) 

The  two  step  process  in  computer  security  terms  is  called  the  identification  step 
and  the  authentication  step  (Russell  and  Gangemi  Sr.,  1992).  To  ensure  that  only  an 
appropriate  user  has  access  to  a  computer  system,  a  user  is  required  to  identify  himself 
with  a  user  name  and  authenticate  himself  with  a  password. 

Identification  is  not  only  a  way  to  tell  who  the  users  of  the  system  really  are  but 
serves  as  a  check  for  each  subject  or  object  access  request  (National  Semiconductor, 
1996). 

Authentication,  on  the  other  hand,  is  the  verification  of  a  user’s  identity.  In  just 
about  any  multi-user  system,  users  must  identify  themselves  and  have  the  system 
authenticate  their  identity  before  they  can  use  the  system  because  accurate  identification 
of  users  is  the  key  to  individual  access  right.  (National  Semiconductor,  1996)  Most 
operating  systems  and  computer  system  admirustrators  have  learned  to  apply  reasonable 
but  stringent  security  measures  to  lock  out  illegal  users  before  they  can  gain  to  then- 
systems.  (Gips,  1995) 
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The  analogy  of  the  identification  and  authentication  in  computer  systems  happens 
in  our  daily  fife.  Bank  employee  or  staff  often  ask  for  identification  of  their  customers 
such  as  driver’s  license  before  carrying  on  any  financial  transactions  at  the  bank.  The 
library  staff  require  library  card  identification  before  allowing  the  library  patron  to  check 
out  any  library  materials.  Military  installations  require  military  identification  card  before 
allowing  military  member  to  enter  the  cormnissary  or  the  Navy  Exchange. 

People  have  developed  systems  of  authentication  using  documents,  voice 
recognition,  and  other  trusted  means  of  identification  but  in  computer  systems  the 
situation  is  less  secure  (National  Semiconductor,  1996).  Anyone  can  attempt  to  log  into 
a  computing  system.  For  example,  unlike  a  professor  who  may  recognize  a  student’s 
voice  and  give  out  grades  over  the  telephone  line,  the  computer  carmot  recognize 
electrical  signals  from  one  person  as  being  any  different  from  those  of  anyone  else.  Thus, 
most  authentication  systems  must  be  based  on  some  knowledge  shared  only  by  the 
computer  system  and  the  user. 

Methods  of  user  authentication  are  numerous.  Here  are  three  most  commonly 
cited  in  computer  security  literature: 

A.  The  password  (Something  You  Know) 

B.  The  token,  key,  or  smart  card  (Something  You  Possess) 

C.  Personal  characteristics  (  Something  You  Are).  (Lawson,  1994;  Russell 
and  Gangemi  Sr.,  1992;  Pfleeger,  1989) 
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A.  TBE  PASSWORD  (SOMETHING  YOU  KNOW) 


The  theory  is  that  if  you  know  the  secret  password  for  an  account,  you  must  be  the 
owner  of  that  account  The  problem  with  this  theory  is  that  the  password  may  be  a  stolen 
password,  one  that  was  written  down  near  a  computer  terminal  and  was  read  by  a 
passerby.  The  password  was  a  simple  word  which  can  be  easily  arrived  at  (Tuomy, 
1995) 

B.  THE  TOKEN,  KEY,  OR  SMART  CARD  (SOMETHING  YOU  POSSESS) 
The  theory  is  that  if  a  user  has  the  key  or  equivalent,  he  or  she  must  be  the  owner 

of  it  The  problem  with  this  theory  is  that  users  might  lose  the  key,  it  might  be  stolen 
from  them,  or  someone  might  borrow  and  duplicate  it.  Electronic  keys,  badges,  and 
smart  cards  are  gaining  acceptance  as  authentication  devices  for  access  to  buildings  and 
computer  rooms  (McCurley,  1995). 

Another  example  is  the  use  of  automated  teller  machines  (ATMs)  cards.  The 
ATM  card  is  popular  and  people  are  increasingly  familiar  with  this  type  of  authentication. 

C.  PERSONAL  CHARACTERISTICS  (SOMETHING  YOU  ARE) 

These  signs  are  easily  identifiable  and  differ  from  person  to  person.  Using 
mechanisms  called  biometric  techniques,  the  system  will  compare  a  user’s  particular  trait, 
such  as  a  fingerprint,  handprint,  retina  pattern,  voice,  signature  or  keystroke  pattern,  with 
the  one  stored  for  the  user  and  determine  whether  he  or  she  is  who  they  claim  to  be. 
Althou^  the  biometric  system  occasionally  rejects  valid  users  and  accepts  invalid  ones,  it 
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is  generally  quite  accurate.  The  problem  with  these  auttentication  systems  is  that  some 
procedures  are  still  not  widely  accepted.  (Deane,  et  al.,  1995) 

The  above  mentioned  methods  of  authenticating  identifiable  data  will  be 
elaborated  upon  in  the  following  chapters  on  biometric  recognition. 
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in.  TRADITIONAL  PASSWORD  METHOD 


Passwords  are  code  words  chosen  by  computer  users  or  generated  or  assigned  by 
the  computer  system.  Passwords  are  used  for  authentication  because  they  are  easy  to  use 
and  used  properly  they  provide  reasonable  assurance.  Password  usage  is  assumed  to  be 
known  only  to  the  user  and  the  system.  As  mentioned  earlier,  in  some  cases  a  user 
chooses  passwords,  while  in  other  cases  they  are  assigned  by  the  system.  The  length  and 
format  of  the  password  also  vary  from  one  system  to  another.  (Fisher,  1984) 

The  use  of  passwords  is  fairly  straightforward.  Initially  a  user  would  enter  some 
piece  of  identification,  such  as  a  name  or  an  assigned  user  ID;  this  identification  can  be 
available  to  the  public  or  easy  to  guess,  because  it  does  not  provide  the  real  security  of 
the  system.  The  system  then  requests  a  password  from  the  user.  If  the  password  matches 
that  on  file  for  the  user,  he  is  authorized  to  use  the  system.  If  the  password  match  fails  - 
i.e.,  the  user  may  have  mistyped  it  -  the  system  requests  the  password  again.  (Pfleeger, 
1989) 

There  are  many  excellent  suggestions  for  choosing  appropriate  passwords.  These 
suggestions  will  prevent  unauthorized  entry  into  the  computer  system  even  if  the  intruder 
uses  the  ‘T)rute  force  attack”  technique  (which  is  a  technique  that  uses  automation  to 
systematically  try  to  guess  passwords).  (Russell  and  Gangemi  Sr.,  1992)  A  good 
password  has  the  following  characteristics: 
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1.  Composed  of  letters,  digits,  and  other  characters,  so  that  the  base  alphabet 
for  an  exhaustive  attack  is  large.  A  mix  of  uppercase  and  lowercase  letters 
is  highly  recommended. 

2.  Long  passwords  are  better  than  short  ones.  Choose  long  passwords  so  that 
there  are  many  more  possibilities  in  case  of  an  exhaustive  attack.  Most 
systems  recommend  passwords  that  are  six  to  eight  characters  long.  Some 
systems  can  take  longer  ones. 

3.  Using  non-existing  names  or  words.  A  password  should  not  be  a  common 
word  or  name,  that  can  be  found  easily  in  a  dictionary,  e.g.,  pet  names,  car 
names,  reverse  words  or  letters. 

4.  Passwords  should  not  reveal  a  characteristic  related  to  the  possessor,  such 
as  a  spouse’s  name  or  a  street  address. 

5.  Regularly  change  the  passwords.  Passwords  should  be  frequently  changed, 
so  that  even  in  the  event  of  someone  guessing  it,  the  period  of  vulnerability 
is  short. 

6.  Written  records  of  passwords  open  the  possibility  of  being  found  by 
outsiders. 

7.  Absolute  secrecy  of  user’s  passwords.  (Gordon,  1995;  Bishop  and  Klein, 
1995;  Russell  et.  al.,  1992) 

The  above  is  a  cogent  reminder  of  the  essentials  of  password  choice.  These  are 
true  and  tried  parameters  for  determining  a  key  function  m  the  establishing  of  computer 
security. 
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IV.  ADVANCED  PASSWORD  SCHEMES 


Commonly,  passwords  are  used  as  the  sole  authentication  mechanism  to  a 
computer-based  information  system,  controlling  access  to  an  entire  set  of  computing 
resources  through  the  operating  system.  (Ahituv,  et  al.,  1987)  These  passwords  are 
referred  to  as  the  primary  passwords.  Another  category  of  password  called  the  secondary 
password  usually  is  used  to  further  control  access  to  various  resources  within  the  system. 
These  various  forms  of  password  includes  the  system-generated  passwords  (Menkus, 
1988,  passphrases  (Porter,  1982),  cognitive  passwords  (Haga  and  Zviran,  1989),  and 
associative  passwords  (Smith,  1987). 

A.  SYSTEM  GENERATED  PASSWORDS 

With  the  system  generated  password,  a  password  is  automatically  generated  by  the 
operating  system  and  assigned  to  users.  A  common  practice  in  this  method  is  that  a 
pseudo-random  number  generator  arbitrarily  creates  a  string  of  alphanumeric  characters 
as  the  password.  These  passwords  are  more  difficult  to  guess  than  the  traditional 
passwords.  But  the  disadvantage  of  this  technique  is  that  the  composition  of  random 
alphanumerics  makes  them  very  difficult  for  users  to  remember.  (Menkus,  1988) 

B.  PASSPHRASES 

A  variation  of  the  traditional  password  system  is  an  extended  password,  known  as 
a  passphrase.  A  passphrase  consists  of  a  meaningful  sequence  of  words,  e.g.  “to  be  or  not 
to  be”.  (Zviran  and  Haga,  1993)  A  passphrase  is  designed  to  form  a  compromise 
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between  ease  of  memorability  and  difficulty  in  figuring  out  The  longer  extended 
password  of  30-80  characters  becomes  difficult  to  guess.  Passphrases  are  generated  by  a 
user,  allowing  a  meaningful  sequence  of  words  to  be  selected.  The  longer  the 
passphrases,  the  more  security  they  provide. 

The  passphrase  is  one  form  of  authentication  that  is  secure  and  simpler  compared 
to  encryption.  The  passphrase  is  just  a  longer  version  of  a  password.  Passphrases  are 
equivalent  to  passwords  in  their  ability  to  authenticate  (Pfleeger,  1989).  Research  about 
password  length  indicates  that  there  are  relatively  few  long  passwords  that  people  can 
remanber  easily.  Examples  of  passphrases  are  a  line  from  a  song  or  a  list  of  countries, 
such  as  “roses  are  red  violets  are  blue.”  The  disadvantage  of  a  long  password  is  that  it 
takes  more  computer  memory  to  store.  The  way  to  get  around  this  problem  is  to 
condense  passphrases  for  efficient  storage.  (Pfleeger,  1989) 

The  passphrase  can  also  be  used  for  a  variable  challenge-response  system.  This 
technique  has  been  in  use  by  financial  institutions  such  as  banks  which  use  this  technique 
to  authenticate  customers  who  want  to  make  transactions  by  phone.  A  customer  who 
opens  an  account  with  a  bank  reveals  certain  confidential  information,  such  as  name, 
employer,  spouse’s  name,  birth  date,  perhaps  mother’s  maiden  name,  and  so  forth.  The 
bank  hopes  that  this  information  is  not  common  knowledge  (although  this  is  not  certain  in 
every  case).  When  someone  tries  to  make  a  telephone  transaction,  the  bank  asks  the 
caUer  to  quote  from  this  source  of  confidential  information.  Questions  will  vary  each 
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time  a  call  is  made  so  that  an  impersonator  will  not  be  able  to  know  all  the  confidential 
information  in  advance.  (Pfleeger,  1989) 

C.  COGNITIVE  PASSWORDS 

In  the  cognitive  passwords  method,  the  user  answers  a  set  of  very  unique  and 
personal  questions  known  only  to  the  user.  This  method  is  based  on  a  question-and- 
answer  mode,  where,  instead  of  a  user  entering  just  one  password,  he  or  she  is  required  to 
enter  several  passwords,  one  at  a  time,  when  prompted  by  the  computer.  When  the  user 
answers  correctly  to  randomly  chosen  questions  and  within  the  security  parameter 
established  then  he  or  she  will  be  allowed  to  have  access  to  the  system.  Usually  the 
system  will  give  a  second  chance  after  which  it  will  reject  unauthorized  users.  This 
dialogue  or  question  and  answer  technique  between  the  user  and  the  computer  system  is 
one  of  the  alternatives  available  for  user  authentication. 

In  an  earlier  chapter,  it  was  postulated  that  a  password  has  to  be  long  enough  to 
make  guessing  by  unauthorized  users  difficult.  Unfortunately,  from  the  user’s  standpoint 
a  long  password  is  also  difficult  to  remember.  A  cognitive  password  therefore  can 
replace  the  traditional  password  system  where  the  user  has  to  remember  one  or  more  long 
passwords. 

Examples  of  cognitive  password  questions  are:  What  is  the  first  name  of  your  best 
friend  in  high  school?  Who  is  your  favorite  actor  or  actress?  What  is  your  favorite 
vegetable?  If  you  could  change  occupations,  which  new  occupation  would  you  choose?. 
These  questions  can  be  fact-based  or  opinion-based.  (Zviran  and  Haga,  1990) 
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An  empirical  study  to  test  the  memorability  of  cognitive  passwords  and  their 
susceptibility  to  guessing  by  people  close  to  the  users  reveals  that  cognitive  passwords  are 
easier  to  remember  by  users  than  conventional  passwords  and  more  difficult  to  guess  by 
others.  The  study  reveals  that  only  a  few  of  the  respondents  remembered  then- 
conventional  passwords,  whether  “self-created”  or  “computer-generated.”  Only  thirty- 
five  percent  of  the  subjects  under  study  recalled  their  “self-created”  conventional 
password  and  only  twenty-three  percent  recalled  their  “assigned”  passwords.  The 
favored  method  of  recall  was  either  from  memory  or  fi-om  writing  down  passwords. 
Table  4.1  below  cites  part  of  the  results  of  the  study  to  reveal  the  percentage  of  users 
versus  “significant-others”  to  correctly  answer  a  user’s  cognitive  password.  As 
mentioned  earlier,  this  study  reaffirms  the  conclusion  that  cognitive  passwords  are 
difficult  to  guess,  even  by  closely  related  people.  (Zviran  and  Haga,  1990) 

Implementing  a  cognitive  password  technique  is  quite  simple:  simple  interactive 
software  is  needed  to  handle  initial  user  enrollment  and  subsequent  cue-response 
exchanges  for  system  access  (Zviran  and  Haga,  1990).  As  far  as  time  and  cost  are 
concerned,  organizations  which  are  interested  in  implementing  this  method  should 
perform  requirement ,  cost  and  benefit  analyses. 


14 


Table  4.1.  Percent  of  Accuracy  in  Using  Cognitive  Password  Technique 
(User  Respondent  vs.  Significant-Other) 


What  is  the  name  of  the  elementary 
school  from  which  you  graduated? 

User 

Respondent 

94 

Significant 

Other 

27 

What  is  the  name  of  your  favorite 
uncle? 

89 

41 

What  is  the  name  of  your  best  friend 
in  high  school? 

91 

43 

What  is  your  mother’s  maiden  name? 

97 

57 

What  was  the  first  name  of  your  first 
boyfriend/girl&iend? 

95 

19 

What  is  the  occupation  of  your 
father? 

99 

35 

D.  ASSOCIATIVE  PASSWORDS 

The  associated  password  mechanism  is  another  password  mechanism  requiring  a 
series  of  passwords  to  verify  user  identity.  (Smith,  1987)  In  this  mechanism,  a  set  of 
cues  are  constructed  for  each  user  and  stored  in  the  user  profile.  In  this  alternative,  the 
user  constructs  a  list  of  cues  and  responses  that  would  be  unique  to  the  individual.  A 
simple  example  would  be  the  cue  word  “high”  which  would  require  the  response  “low.” 
An  initial  list  of  approximately  twenty  cues  could  be  installed  under  a  one-user  account 
which  would  allow  flexibility  in  changing  the  cues  presented  to  the  user  when  log-on  to 
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the  system.  Depending  upon  the  security  of  the  system,  a  user  would  be  required  to  give 
from  one  to  several  correct  responses.  (Zviran  and  Haga,  1993) 

To  gain  access  into  the  system  with  cognitive  passwords,  every  new  user  is 
assigned  a  user-ID  and  asked  to  create  approximately  twenty  word  associations  for  his  or 
her  user  profile.  Then  a  user  desiring  access  enters  his  assigned  user-ID  which  is 
matched  against  his  profile.  Having  passed  the  user-ID  validity  test,  a  user  is  then 
presented  with  five  randomly  selected  cues  from  the  set  of  twenty  word  associations  in 
his  or  her  profile.  The  cues  are  presented  one  at  a  time  and  responded  by  the  matching 
word  association.  Upon  gathering  all  five  responses,  they  are  compared  against  the 
stored  profile  database  of  the  user.  If  correct,  access  is  granted.  If  one  or  more  answers 
do  not  match,  a  user  might  be  given  a  second  chance  and  another  set  of  five  cues  is 
randomly  selected  from  the  database.  (Zviran  and  Haga,  1993) 

Like  the  cognitive  password,  users  find  memorizing  associative  passwords  easier 
than  the  traditional  passwords. 
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V.  ADVANCED  AUTBDENTICATION  MECHANISMS 


As  mentioned  in  the  previous  chapters,  a  user  authentication  process  can  be  based 
on  three  different  methods:  things  the  user  knows  such  as  passwords,  things  the  user 
personally  possesses  such  as  tokens,  and  things  the  user  is  such  as  finger  or  handprints. 
(Russell  and  Gangemi  Sr.,  1992)  This  chapter  will  discuss  the  last  two  methods  of  the 
authentication  process. 

A.  TOKEN 

A  token  or  smart  card  is  “something  the  user  possesses”,  an  object  that  users  carry 
to  authenticate  their  identities.  In  ancient  times  it  was  a  common  practice  to  cany  the 
king’s  ring  to  prove  that  a  messenger  was  speaking  on  behalf  of  the  king  (RusseU  and 
Gangemi  Sr.,  1992).  The  use  of  a  token  is  similar  to  an  ID  card  as  a  means  of 
authentication.  We  carry  them  to  conduct  our  daily  business,  i.e.,  an  ATM  card 
(electronics  means)  to  have  access  to  our  accounts  at  the  banks,  or  a  mUitaiy  ID  card 
(manual  means)  to  have  access  to  military  privileges  etc. 

A  token  usually  requires  a  two-step  authentication.  In  a  typical  application,  access 
to  a  PC  is  as  follows:  1)  the  user  inserts  an  electronic  key-shaped  token  for  log-on  and 
authentication;  2)  once  the  system  recognizes  the  token,  it  prompts  the  user  to  type  their 
user  ID  and  password.  When  the  user  passes  all  the  authentication  steps  then  he  or  she 
will  be  allowed  to  enter  the  system.  If  not,  he  or  she  may  be  given 'a  few  more  chances. 
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When  multiple  faUiires  occur,  then  the  user  will  be  locked  out  of  the  system  and  an  alarm 
may  be  sounded.  (McCurley,  1995) 

In  order  to  be  effective,  a  token  should  be  unique.  In  practice,  ID  cards  can  be 
forged  but  are  still  used  for  authentication. 

The  “magnetic  stripe  credit  card”  is  another  form  of  token  for  network 
communication.  These  cards  are  the  size  of  regular  credit  cards  with  certain  information 
recorded  in  magnetic  form  on  the  back.  The  magnetic  stripe  is  read  by  a  sensing 
machine.  This  is  similar  to  the  ATM  card  mentioned  earlier.  For  example,  an  ATM 
machine  permits  a  customer  to  perform  certain  banking  transactions  at  any  time,  day  or 
night  Since  the  possibihty  of  loss  or  theft  exists,  these  cards  have  to  be  in  combination 
with  an  identifying  word  or  number  in  order  to  use  the  card.  (McCurley,  1995) 

B.  SMART  CARD 

A  more  advanced  form  of  token  card  is  the  smart  card  or  chip  card  -  which  is 
dmilar  to  a  token  card  except  it  has  a  microprocessor  embedded.  Not  only  can  the  smart 
card  retain  information  to  identify  the  possessor,  it  can  also  hold  information  such  as  a 
bank  or  credit  balance.  Such  a  card  is  not  merely  a  passive  container  of  data.  A  smart 
card  can  actually  perform  computation,  such  as  computing  the  response  function  of  a 
challenge-response  system,  or  performing  link  level  encryption.  An  example  of  how  this 
card  is  used  is  cited  as  follows: 

Smith  walks  up  to  a  terminal  to  initiate  a  log-on  to  a  computing  network.  Smith 
enters  his  name  on  the  terminal  and  receives  the  prompt  for  a  password.  Smith  puts  the 
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smart  card  in  a  slot  and  types  his  password.  Instead  of  the  password  being  transmitted  in 
the  clear,  the  password  is  encrypted  by  the  smart  card.  The  remainder  of  the  transaction 
is  decrypted  at  the  receiving  end.  In  this  way,  Smith  can  transact  his  business  in  the 
complete  security  of  a  computer  network  from  any  place  in  the  world.  (Pfleeger,  1989) 
Several  vendors  offer  smart  card  systems.  The  SecurlD  token  from  Security 
Dynamics  is  an  example  of  access  control  security  token  which  is  used  to  positively 
identify  users  of  computer  systems  and  networks.  Used  in  conjunction  with  Security 
Dynamics’  hardware  or  software  access  control  module  (ACM),  the  SecurlD  token 
automatically  generates  a  unique,  unpredictable  access  code  every  60  seconds.  To 
properly  identify  and  authenticate  an  authorized  user,  two  factors  are  necessary.  The  first 
is  something  secret  the  user  knows:  a  memorized  Personal  Identification  Number  (PIN). 
The  second  factor  is  something  unique  the  user  possesses:  the  SecurlD  token.  The 
rlianging  access  code  displayed  on  the  SecurlD  token  guarantees  the  user  must  have  the 
token  in  his  or  her  possession  at  the  time  it  is  used.  (Security  Dynamics,  1996) 

C.  CHALLENGE-RESPONSE  SYSTEMS 

There  are  two  kinds  of  challenge  response  systems  appearing  in  the  market.  The 
first  type  operates  digitally;  it  functions  much  the  same  as  a  smart  card,  using  a  device 
hke  a  pocket  calculator.  The  user  keys  in  the  challenge,  the  device  computes  the 
response,  the  user  reads  the  response  in  a  display  and  enters  it  into  the  computer 
keyboard. 


19 


The  second  available  challenge-response  system  uses  a  hand-held  reader.  The  host 
computer  generates  a  random  pattern  of  dots  that  it  displays  on  the  user’s  screen.  The 
user  holds  the  device  up  to  the  screen,  and  the  device  senses  the  dot  pattern  and  converts 
it  to  a  number.  The  device  then  computes  a  numeric  response  for  the  challenge  patterns. 
From  a  display  screen  in  the  device,  the  user  reads  the  response  and  keys  it  into  the 
keyboard.  (Pfleeger,  1989) 

D.  BIOMETRIC  TECHNOLOGY 

Another  kind  of  authentication  technique  is  known  as  the  biometric  technique. 
Webster’s  dictionary  (1978)  defined  biometrics  as  “that  branch  of  biology  which  deals 
with  its  data  statistically  and  by  quantitative  analysis”. 

Biometric  authentication  technology  in  computer  security  systems  is  the  automatic 
authentication  of  an  individual  on  the  basis  of  a  unique  and  measurable  physical 
characteristic,  such  as  a  fingerprint  (Kim,  1995).  In  biometric  systems,  a  particular 
physical  or  behavioral  characteristic  is  measured  and  later  is  compared  to  a  library  of 
characteristics  belonging  to  many  people.  Biometrics  is  considered  a  newcomer  by  most 
in  the  access  control  industry,  but  the  technology  has  been  around  for  many  years 
(Wilson,  1992).  There  are  two  types  of  biometric  methods  (Deane  et  al.,  1995).  The  fibrst 
type  is  based  on  physiological  characteristics  such  as  fingerprints,  hand  geometry,  and 
retina  patterns.  The  second  type  is  the  behavioral  biometric  method  which  is  based  on 
some  aspect  of  behavior  such  as  signature,  voice,  keystroke,  and  pointing  patterns.  A 
simple  hand  geometry  measure  to  identify  a  person  by  fibager  length  was  developed  in  the 
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late  1960s  and  is  called  the  Indentimat.  This  is  the  granddaddy  of  all  biometrics.  The 
other  biometric  technologies,  fingerprint,  voice  recognition,  retinal  scan,  keystroke 
dynamics  and  signature  verification,  were  developed  during  the  1970s  and  1980s. 
(Wilson,  1992).  The  different  kinds  of  biometric  methods  will  be  briefly  e3q)lamed  in  the 
following  paragraphs. 

1.  Face 

One  biometric  method  is  the  use  of  facial  characteristics  for  identification.  To  cite 
one  example,  in  the  law  enforcement  business,  this  technology  is  used  to  recognize  bank 
robbers,  drug  dealers,  and  terrorists  in  a  crowd  (Kim,  1995).  For  physical  security 
officers,  this  method  adds  to  the  efficiency  of  their  existing  closed-circuit  television 
systems.  For  computer  security  personnel,  this  technology  could  be  incorporated  by 
adding  a  small  video  camera  into  PCs  that  would  monitor  that  the  users  sitting  at  the 
machine  were  authorized  users. 

The  problems  with  this  method  is  the  inherent  variances  of  facial  features  or 
expressions  due  to  lighting  conditions,  camera  angle,  or  changes  of  hair  style.  This  will 
create  substantial  deviations  with  the  stored  “facial  prinf  ’  or  template  in  the  computer 
systems  and  can  create  errors.  To  remedy  these  problems,  advance  technologies  have 
been  introduced  which  include  the  use  of  neural  network  patterns  exposed  to  infrared 
scans  of  hot  spots  to  detect  the  most  constant  features  on  the  face.  (Kim,  1995) 
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2.  Fingerprints 

The  other  form  of  biometrics  is  the  fingerprint-based  personal  identification 
system  used  to  control  access  or  verify  an  individual’s  identity.  Historically,  fingerprint 
identification  has  been  used  as  a  primary  law  enforcement  tool,  particularly  in  criminal 
justice  organizations  (EUis,  1994).  This  technology  is  also  very  useful  for  such  purposes 
as  welfare  identification,  child-care  screening,  licensing,  refugee  identification, 
iromigration,  prison  inmate  control,  gaining  employee  background  checks,  and  high- 
security  organizations  such  as  defense  plants,  the  mihtary,  and  increasingly  in  banks. 
(Wilson,  1992;  Russell  and  Gangemi  Sr.,  1992) 

Every  human  being  has  unique  set  of  fingerprints.  Fmgerprint  verification  systems 
examines  the  unique  characteristics  of  your  fingerprints  and  uses  the  information  to 
determine  whether  you  should  be  allowed  access.  The  use  of  fingerprints  to  identify 
people  dates  from  the  late  nineteenth  century.  In  the  past,  manual  methods  were  used  to 
classify  and  cross-check  fingerprints  according  to  certain  patterns  of  ridges  and  whorls  - 
in  particular,  detailed  features  of  the  print  called  minutiae.  A  fingerprint  may  have  up  to 
150  of  these  minutiae.  In  the  late  1960s,  the  FBI  automated  its  system  for  cross-checking 
fingerprints,  and  all  fingerprint  checking  was  converted  to  automated  systems  by  1983. 
(Russell  and  Gangemi  Sr.,  1992) 

The  application  of  this  system  usually  starts  with  placing  one  finger  on  a  glass 
plate.  Then  the  optical  scanner,  image  processing  software  and  sophisticated  algorithms 
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electronically  read,  analyze  and  compare  a  user’s  “live”  fingerprint  with  a  previously 
stored  mathematical  characterization  or  template  of  that  fingerprint. 

The  fingerprint  system  digitizes  the  ridges  and  other  characteristics  of  the 
fingerprint  and  compares  these  characteristics  against  the  fingerprint  templates  stored  in 
the  system  (or,  in  more  primitive  systems,  against  a  print  on  a  card  that  you  carry).  The 
system  allows  access  only  if  your  fingerprint  sufficiently  matches  the  template. 

The  more  modem  fingerprint  verification  systems  also  perform  a  three- 
dimensional  analysis  of  the  fingerprint  including  infrared  mechanisms  for  ensuring  that  a 
pulse  is  present.  This  means  that  an  intruder  can’t  gain  entry  by  presenting  a  mold  of  an 
authorized  user’s  finger  or,  worse  still,  an  authorized  finger  that’s  no  longer  attached  to 
its  owner.  ( Russell  and  Gangemi  Sr.,  1992) 

Fingerprints  have  several  advantages  and  disadvantages.  The  characteristics  and 
stability  of  fingerprints  are  widely  accepted,  and  they  are  unique  in  every  human  being. 
On  the  other  hand,  the  process  is  slower  than  certain  other  types  of  biometric 
measurements.  In  addition,  their  ability  to  work  properly  depends  on  the  condition  of  the 
fingers  being  presented.  Bums  or  other  physical  problems  can  affect  the  system’s  ability 
to  match  fingerprints,  as  can  any  substance  such  as  the  presence  on  the  fingers  of  such 
materials  as  dust,  perspiration,  grease  or  glue.  (Russell  and  Gangemi  Sr.,  1992) 

TouchSafe  n  is  a  fingerprint  verification  device  from  Identix  Inc.,  Sunn5wale,  CA. 
This  device  can  be  installed  on  a  personal  computer  and  is  applicable  for  computer 
database  and  network  systems.  This  fingerprint  identity  verification  terminal  is  designed 
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for  access  control  applications,  preventing  unauthorized  personnel  from  accessing 
protected  data,  services  or  funds.  (Indentix  Incorporated,  1996) 

3.  Hand 

Everybody  has  unique  handprints.  Handprint  or  hand  geomehy  verification 
systems  examine  the  unique  measurements  of  your  hand  and  use  that  information  to 
determine  whether  you  should  be  allowed  access. 

As  mentioned  earlier,  the  first  version  of  hand  geometry  measured  the  finger 
length  to  identify  a  person.  To  get  this  measurement,  the  hand  was  placed  on  a  flat  platen 
and  a  1,000  watt  overhead  lamp  projected  the  shadows  of  the  fingers  through  slots  in  the 
platen.  Photoelectric  cells  scanned  along  the  fingers  to  determine  the  position  of  the  tips 
and  webs,  and  thus  the  finger  length.  This  device  worked  well  but  was  too  large, 
expensive  and  only  average  in  performance.  The  production  of  this  old  version  ceased  in 
1987.  (Wilson,  1992) 

Today,  the  total  hand  shape  is  identified  rather  than  just  the  finger  lengths.  This 
technology  was  initiated  by  a  study  conducted  by  the  Air  Force  in  the  early  1980’s. 
Since  then,  the  three-dimensional  method  of  hand  geometry  has  been  available.  A  digital 
camera  is  used  to  capture  a  TV-like  image  of  the  hand  both  a  top  view,  which  gives 
length  and  width  information,  and  a  side  view,  which  gives  a  thickness  profile.  To  avoid 
variations  of  hand  positions  finger  pins  are  used  to  properly  position  the  hand  on  the 
platen.  The  image  captured  by  the  camera  is  converted  into  a  digital  electronic  video 
signal  that  is  transferred  to  the  microprocessor  memory.  This  data  is  represented  in 
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memory  in  much  the  same  way  as  a  picture  is  printed  in  a  newspaper,  as  a  series  of  black 
and  white  dots.  Each  bit  memorized  is  represented  by  one  dot,  or  pixel.  Approximately 
32,000  pixels  of  information  are  analyzed  to  extract  the  identifying  features  of  the  hand. 
This  wOl  represent  a  template  for  each  computer  user.  In  verifying  the  identity  of  a  user, 
the  live  hand  picture  is  computed  in  the  stored  template.  A  small  difference  between  the 
current  hand  reading  and  the  template  indicates  a  good  match.  Large  differences  are 
rejected  by  the  electronic  system.  (Wilson,  1992) 

Applications  of  this  technology  have  expanded  from  the  Department  of  Defense 
(DoD)  to  major  universities,  international  airports,  drug  enforcement  facilities,  student 
dormitories,  stock  rooms,  banks,  insurance  and  financial  institutions,  manufacturing 
facilities,  and  hospitals.  (Wilson,  1992) 

One  example  of  hand  identity  verifiers  from  the  commercial  market  for  physical 
access  control  is  the  ID3D  HandKey  from  Recognition  Systems,  Inc.  which  can  add 
‘Who  You  Are”  to  the  existing  ID  and  security  systems.  This  device  can  operate  as  a 
complete  “stand  alone”  access  control  station.  It  can  be  used  in  a  network  setup  or  be 
integrated  into  third  party  access  control  systems,  e.g.  optional  card  reader.  Enrollment  is 
fast  and  with  minimum  data  storage  (small  nine  byte  template).  (Recognition  Systems, 
Inc.,  1996) 

4.  Eye 

One  kind  of  eye  identification  is  retinal  recognition  technology.  The  proponents 
of  this  technology  believe  that  the  eye  vascular  pattern  develops  during  embryonic 
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growth,  stabilizes  prior  to  birth  and  remains  stable  throughout  life.  One  example  in  this 
category  is  the  EyeDentification  System  2001  from  EyeDentify,  Inc.  As  explained  in 
their  technical  paper,  the  2001  retinal  recognition  technology  uses  the  natural  reflective 
and  absorption  properties  of  the  eye’s  retina.  When  an  individual  looks  at  the  flluminated 
Green  Dot  Alignment  target,  an  eye  template  is  acquired  from  the  light  naturally  reflected 
and  absorbed  by  the  retina.  The  retinal  field  has  192  data  points  identified  that  are  used 
as  the  basis  for  creating  a  96  byte  digital  template  which  is  called  an  “eye  signature.” 
When  a  good  template  is  acquired,  it  is  then  stored  for  future  recognition  or  verification 
and  is  compared  to  other  stored  eye  templates  preventing  duplication  of  data  base  files. 
(EyeDentify,hic.,  1996)  The  system  will  allow  access  only  if  your  retina  pattern 
sufficiently  matches  that  of  the  one  stored  for  you  in  the  system. 

Newer  developments  include  the  measurements  of  iris  and  pupil.  Hand-held 
devices  are  bemg  developed  for  workstation  access. 

This  technology  has  been  applied  to  many  different  fields  such  as  access  control, 
information  security,  research  organization,  government,  banks,  restaurants,  etc. 

The  second  kind  of  eye  identification  is  the  iris  recognition  technology.  This 
technology  is  based  on  the  patterns  found  in  the  iris  of  the  human  eye.  The  iris  is  the 
colored  ring  that  surrounds  the  central  black  pupil,  and  the  retina  is  the  sensory 
membrane  lining  the  eye.  The  difference  in  technology  requires  that  retinal  scanning  use 
laser  or  infra-red  beams  and  iris  scanning  use  the  camera  lens  to  capture  the  iris  prints. 
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Applications  include: 

•  entry  and  access  control 

•  computer  and  network  security 

•  information  access  control 

•  financial  transactions 

•  day-care  center  access  control 

•  hospitals  (hisScan,  1996) 

One  example  of  commercial  devices  for  iris  scan  technology  is  System  2000EAC 
from  IriScan.  To  be  identified,  the  subject  simply  looks  toward  the  system’s  video  lens 
from  a  reasonable  distance.  The  system  uses  a  standard  video  camera  taking  30  frames 
per  second  with  illuniination  provided  by  a  20-watt  quartz-halogen  bulb  with  a  magenta 
filter  at  seven  watts  power.  To  acquire  the  iris  image,  the  system  software  determines  the 
inner  and  outer  boundaries  of  the  iris,  and  then  identifies  and  encodes  each  feature  of  the 
iris  as  a  multi-scale  sequence  coefficients,  producing  a  256-byte  code.  This  code  is 
stored  in  memory  as  the  subject’s  template  for  comparing  future  recognition.  For  later 
identification,  the  user  need  only  present  his  or  her  eye  to  the  camera.  (IriScan,  1996) 

5.  Voice 

Characteristics  of  vocal  and  acoustic  patterns  are  unique  for  each  human  being. 
Voice  verification  systems  examine  the  unique  characteristics  of  the  human  voice.  Some 
systems  also  examine  phonetic  and  linguistic  patterns  and  use  that  information  to 
determine  whetiher  one  should  be  allowed  access. 

This  speaker  identification  system  requires  the  users  to  speak  a  particular  phrase. 
The  system  converts  the  acoustic  strength  of  a  speaker’s  voice  into  component 
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frequencies  and  analyzes  how  they  are  distributed.  The  system  compares  the  live  voice  to 
a  stored  voiceprint.  This  voiceprint  is  a  “voice  signature”  constructed  by  samphng, 
digitizing^  and  Storing  several  repetitions  of  a  particular  phrase.  The  speaker’s  identity  is 
verified  by  comparing  stored  voice  prints  of  known  origin  against  new  samples  of  speech 
from  the  person  claiming  the  identity.  If  the  characteristics  of  the  new  samples  match 
those  of  the  stored  prints  within  acceptable  limits,  the  speaker’s  claimed  identity  is 
accepted.  Otherwise,  it  is  rejected.  (Russell  and  Gangemi  Sr.,  1991) 

This  technology  is  currently  used  for  personal  identification  in  banks,  credit 
agencies,  service  companies,  governmental  services,  telephone  fraud  prevention,  etc. 

One  example  of  the  devices  available  commercially  is  the  Veritel  Voice 
Verification  system  by  Veritel  corporation.  The  device  is  a  Veritel  board  which  is  a  half 
length,  standard  card  that  fits  into  any  PC,  plus  the  software  to  install  it.  Once  the  system 
is  iustalled,  the  system  administrator  can  begin  the  process  of  recording  and  verifying 
voiceprints  for  registered  users.  The  system  can  act  as  the  head-end  for  a  wide  variety  of 
potential  applications.  Technical  implementation  of  this  method  is  as  follows:  the 
speaker  is  first  enrolled  in  the  system  by  capturing  specific  samples  of  speech  and 
converting  the  audio  to  digital  PCM  (Pulse  Code  Modulation)  using  standard 
commercially  available  voice  processing  products.  The  PCM  samples  are  saved  on  disk. 
When  an  access  is  attempted,  the  speaker  is  prompted  to  repeat  the  original  phrase  of 
speech  and  the  audio  sample  is  again  converted  to  digital  PCM.  The  two  PCM  samples 
are  compared  using  a  firmware  algorithm  that  runs  on  the  Veritel  Voice  Verifier  Board. 
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The  algorithm  performs  a  series  of  transformations  and  comparisons  such  as:  convert 
PCM  to  LPC,  convert  LPC  to  Cepstnim  Coefficients,  and  time  aligns  the  two  Cepstrum 
representations  using  a  Dynamic  Time  Warping  function.  It  then  compares  the  aligned 
patterns  using  a  Distance  Measure.  If  the  Distance  Measure  between  the  two  audio 
patterns  is  less  than  a  selected  threshold,  access  is  granted.  Otherwise,  it  is  denied. 
(Veritel  Corporation,  1996) 

6.  Signature 

The  use  of  the  signature  in  our  daily  life  is  widely  practiced  and  accepted.  It  is  the 
norm  of  doing  business.  We  put  our  signatures  on  checks  issued  to  make  payments,  sign 
contracts  and  agreements.  In  biometric  technology,  there  are  two  different  methods  of 
signature  authentication.  (Kim,  1995)  One  method  is  to  compare  the  signature  already 
written  with  the  associated  template.  The  weakness  in  this  method  is  that  the  technology 
cannot  detect  a  copied  signature.  The  second  method  is  to  analyze  signature  dynamics. 
This  signature  verification  examines  the  way  a  signature  is  written  rather  than  what  it 
looks  like  after  being  written.  The  focus  in  this  second  method  is  to  look  at  the  dynamic 
process  of  writing  one’s  signature.  It  is  the  writing  rhythm,  contacts  on  the  surface,  total 
time,  turning  points,  loops,  slopes,  velocity  and  acceleration  and  converting  a  signature 
into  a  set  of  electrical  signals  that  stores  the  dynamics  of  the  signing  process  mentioned 
above.  The  devices  used  in  signature  d5aiamics  technology  are  wired  pens  and  sensitive 
tablets.  (Kim,  1995)  The  key  in  the  recognition  of  a  signature  is  to  distinguish  between 
the  habitual  parts  from  those  that  vary  with  almost  every  signing  since  everybody  has  a 
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unique  signature  and  signature-writing  pattern.  Signature  verification  systems  examine 
this  unique  characteristics  of  one  signature,  and  the  way  in  which  one  writes  his  or  her 
signature.  The  system  compares  the  signature  to  a  signature  template  stored  for  users  to 
determine  whether  one  should  be  allowed  access. 

One  commercial  device  from  Cadix  Intemational  Inc.  is  the  ID-007  which  placed 
no  limitation  on  the  styles  or  types  of  signatures.  Any  combination  of  languages,  fonts, 
and  handwriting  systems  is  acceptable  to  the  ID-007.  This  device  will  encrypt  signatures 
to  ensure  that  the  individual’s  signature  cannot  be  reproduced.  Also  to  increase  security, 
PIN  numbers  can  be  issued  to  users  when  making  their  signatures.  ID-007  will  compare 
the  user’s  signature  with  signatures  in  the  database  as  to  shape  and  pen  movement  to 
determine  whether  the  real  person  has  signed  the  signature.  This  step  is  called  “pattern 
matching.”  Users’  signatures  wiU  change  from  time  to  time  because  of  physical  changes 
or  the  passage  of  time.  ID-007  learns  the  shghtly  changed  signature  once  ID-007  has 
recognized  that  it  is  the  authorized  user.  One  signature  takes  about  1.5  K  bytes.  For 
instance,  40M  bytes  hard  disk  on  a  personal  computer  can  keep  more  than  20,000 
signatures.  Data  size  is  independent  of  signature  size,  shape,  or  writing  time.  Several 
sampling  are  required  to  make  the  signature  registration.  Verification  time  is  about  1 
second.  (Cadix  Research  &  Development,  1996) 
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7.  Typing  Rhythms 

Everybody  has  a  unique  pattern  or  rhythm  of  typing.  Keystroke  verification 
systems  examine  the  unique  characteristics  of  users  keystrokes  (users  electronic 
signature)  and  use  that  information  to  determine  whether  you  should  be  allowed  access. 

This  technology  is  very  similar  to  signature  verification  discussed  earlier. 
Templates  are  being  created  and  analyzed  based  on  information  such  as  the  users’  time 
that  elapses  between  keystrokes,  forming  unique  timing  patterns.  Users  are  required  to 
generate  a  keyboard  reference  profiOie  or  template  which  will  be  used  at  a  later  date  for 
verification  and  compare  to  the  test  profile.  If  large  differences  occur  between  these  two 
profiles  then  the  user  involved  is  prevented  from  access.  The  goal  is  to  determine 
whether  you  are,  m  fact,  the  person  working  at  your  workstation  and  under  your  account, 
or  whether  an  intruder  has  gained  access.  This  surveillance  of  work  habits  has  raised 
right  of  privacy  issues. 

8.  Summary 

Biometrics  technology  can  enhance  and  complement  any  organization’s  existing 
security  system  to  provide  a  higher  level  of  conJfidence  by  using  physical  characteristics 
that  are  unforgeable. 

This  technology  offers  solutions  for  user  identification  or  authentication. 
Examples  of  such  concerns  are  welfare  recipients  who  sign  up  for  benefits  under  six 
identities,  a  child  is  released  to  a  stranger  from  a  day  care  center,  a  hacker  accesses 
sensitive  databases  or  a  counterfeiter  makes  copies  of  bank  cards.  Biometrics  has  become 
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the  most  foolproof  method  of  automated  personal  identification  in  today’s  highly 
computer  dependent  world  and  continues  to  be  in  great  demand.  (Kim,  1995) 

However,  computer  security  managers  should  be  aware  that  along  with  the 
strength  of  biometrics  technology,  proper  assessments  and  applications  are  needed  and 
should  be  the  initial  step  prior  to  implementation. 

Implications  of  the  use  of  biometrics  technology  can  include:  user  acceptance, 
performance,  cost,  speed,  security  loopholes,  danger  of  misuse,  legal  aspects.  (Kim, 
1995). 

To  be  broadly  acceptable,  biometric  techniques  must  be  legally  safe  to  use,  have 
regard  for  the  user’s  privacy,  and  avoid  those  that  are  socially  unacceptable.  (Kim’s, 
1995)  For  example  a  fingerprinting  scanner  is  associated  with  criminal  overtones,  while 
hand  recognition  is  more  associated  with  handshaJdng.  Dynamic  signature  recognition  is 
acceptable  due  to  the  aheady  wide  use  of  signatures  as  personal  identification.  When 
literacy  rates  are  low,  other  methods  such  as  voice,  face  or  hand  recognition  may  be  more 
appropriate. 

In  terms  of  performance  biometric  applications  are  prone  to  two  types  of  errors: 
rejection  of  an  authorized  user,  or  the  incorrect  acceptance  of  an  imauthorized  user.  To 
produce  optimum  performance,  adjustments  of  threshold  settings  for  acceptance  and 
rejection  are  necessary. 
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As  in  any  investoent,  cost  is  one  area  to  be  considered.  Does  the  benefit  outweigh 
the  cost?  This  question  should  consider  operating  costs,  such  as  maintenance  and 
training. 

Verification  time  is  another  factor  to  be  taken  into  account.  Biometric 
verifications  which  involve  several  seconds  are  considered  slow  when  compared  to  other 
methods  such  as  password  and  ID  verification. 

Security  loopholes  are  still  the  major  concerns,  especially  during  remote  log-ons, 
where  information  is  sent  to  the  host  computer  for  comparison  with  the  stored  template. 
Kim  believes  there  are  at  least  two  potential  wealcnesses  in  this  case.  One  is  related  to  the 
database  with  the  templates  and  the  other  to  the  transmission  of  the  biometric  reading.  If 
stolen,  the  identity  of  authorized  users  cannot  be  changed  as  the  password  method  could. 

There  is  no  questions  that  biometrics  technology  has  been  very  popular  around  the 
world,  for  both  the  government  and  private  sectors.  This  too  has  raised  concerns  over  the 
legality  of  sharing  private  information  from  government  or  industry  with  third  parties.  It 
is  important  that  individuals  have  ownership  rights  to  their  personal  data.  Hence  they 
should  be  informed  about  data  collection  and  have  the  right  to  decline  the  use  of  data  by 
third  parties.  (Tuerkheimer,  1993)  International  conventions  state  that  data  should  not  be 
used  for  piuposes  other  than  the  original  purpose  of  collection,  except  with  the  authority 
of  law  or  the  consent  of  the  individual  (Clark,  1988). 

In  terms  of  cost,  effectiveness,  and  human  acceptance,  the  following  table  is 
presented  as  a  guideline.  (Rowe,  1996) 
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Table  5.1.  Comparison  of  Various  Verification  Methods 
(Ratings  on  scale  of  1  to  10: 10  is  best) 


Method 

Password 
Smart  card 
Fingerprint 
Handprint 
Retinal  scan 
Iris  scan 
Face 

Body  form 
Signature  (written) 
Signature  (dynamic) 
Keystrokes 
Voice 


Cost  Effectiveness 


1 

3 

7 

7 

8 
8 
9 
5 
8 
8 
3 
9 


2 

4 
8 

7 
10 
9 

5 
3 
2 

8 
5 
5 


Human 

Acceptance 

8 

7 
6 

5 
4 

6 

8 
7 
9 

7 
9 

8 


Like  other  matters  in  life,  controversial  results  of  research  work  exists  in  any  field. 
One  study  intending  to  reveal  the  perceived  acceptability  of  biometric  security  systems  by 
a  sample  of  banking  and  university  staff  was  conducted  by  Deane  et.  al.  (1995)  The 
results  from  76  respondents  indicated  that  all  biometric  systems  were  perceived  as  less 
acceptable  than  the  traditional  password  approach.  Contrary  to  expectation,  it  was  found 
that  behaviorally  based  biometric  systems  were  perceived  as  less  acceptable  than 
physiologically  based  systems.  There  is  a  positive  relationship  between  acceptability  and 
sensitivity  of  information.  Conversely,  the  password  method  has  negative  relationship 
between  the  acceptability  and  sensitivity. 

In  closing  this  biometric  discussion,  success  of  implementation  will  still  rely  on 
proper  assessment,  planning,  and  training  awareness  programs. 
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VI.  ORANGE  BOOK  EVALUATION  (DoD  5200.28-STD) 


The  Orange  Book  Operating  System  Security  Standard  was  published  by  the  U.S. 
Department  of  Defense  in  1985  (Melford,  1995).  It  came  about  as  a  consequence  of 
increasing  security  consciousness  on  the  part  of  the  government  and  industry  and  the 
growing  need  for  standards  for  the  purchase  and  use  of  computers  by  the  federal 
government  The  need  to  quantify  security  or  to  measure  trust  was  the  primary  motive 
behind  development  of  this  guidebook.  It  is  useful  for  commercial  vendors  who  develop 
secure  systems  to  fulfill  requirements  stipulated  by  the  government  requisition  office 
which  has  tied  computer  equipment  purchases  to  Orange  Book  certification. 

The  objectives  of  Orange  book  are: 

1.  For  measurement. 

2.  For  guidance. 

3.  For  acquisition.  (Russell  and  Gangemi  Sr.  1992) 

Measurement:  to  provide  users  with  a  measurement  with  which  to  assess  the 
degree  of  trust  that  can  be  placed  in  computer  systems  for  the  secure  processing  of 
classified  or  other  sensitive  information.  For  example,  a  user  can  rely  on  a  B2  system  to 
be  “more  secure”  than  a  C2  system. 

Guidance:  to  provide  guidance  to  manufacturers  as  to  what  to  build  into  their 
commercial  products  to  satisfy  trust  requirements  for  sensitive  applications. 

Acquisition:  to  provide  a  basis  for  specifying  security  requirements  in  acquisition 
specifications.  Rather  than  specifying  a  hodgepodge  of  security  requirements,  and  having 
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vendors  respond  in  piecemeal  fashion,  the  Orange  Book  provides  a  clear  way  of 
specifying  a  coordinated  set  of  security  functions.  A  customer  can  be  confident  that  the 
system  he  or  she  acquires  has  already  been  checked  out  for  the  needed  degree  of  security. 
(Russell  and  Gangemi,  Sr.,  1992) 

As  the  Orange  Book  puts  it,  the  criteria  “constitute  a  uniform  set  of  basic 
requirements  and  evaluation  classes  for  assessing  the  effectiveness  of  security  controls 
built  into  the  various  systems.” 

The  Orange  book  defines  four  broad  hierarchical  divisions  of  security  protection. 

In  increasing  order  of  trust,  they  are: 

D.  Minimal  security 

C.  Discretionary  protection 

B.  Mandatory  protection 

A.  Verified  protection 

Each  of  these  hierarchy  levels  define  a  set  of  evaluation  criteria  to  ensure  that  an 
operating  system  completely  carries  out  the  controls  (see  Table  6. 1). 

Each  class  is  defined  by  a  specific  set  of  criteria  that  a  system  must  meet  to  be 
awarded  a  rating  in  that  class.  The  criteria  fall  into  four  general  categories:  security 
policy,  accountability,  assurance,  and  documentation.  (Rowe,  1996) 
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Table  6.1.  The  Orange  Book  Trusted-System  Classes 


Feature 

Cl 

C2 

B1 

B2 

B3 

A1 

discretionary  access  control 

X 

X 

s 

s 

X 

s 

object  reuse 

- 

X 

s 

s 

s 

s 

labels 

- 

- 

X 

X 

s 

s 

label  integrity 

- 

- 

X 

s 

s 

s 

exporting  information 

- 

- 

X 

s 

s 

s 

labeling  of  output 

- 

- 

X 

s 

s 

s 

mandatory  access  controls 

- 

- 

X 

X 

s 

s 

subject  sensitivity  labels 

- 

- 

- 

X 

s 

s 

device  labels 

- 

- 

- 

X 

s 

s 

identification  and  authentication 

X 

X 

X 

s 

s 

s 

audit 

- 

X 

X 

X 

X 

s 

trusted  path 

- 

- 

- 

X 

X 

s 

system  architecture 

X 

X 

X 

X 

X 

s 

system  integrity 

X 

s 

s 

s 

s 

s 

security  testing 

X 

X 

X 

X 

X 

X 

design  specification  and  verification 

- 

- 

X 

X 

X 

X 

covert  channel  analysis 

- 

- 

- 

X 

X 

X 

trusted  facility  management 

- 

- 

- 

X 

X 

s 

configuration  management 

- 

- 

“ 

X 

s 

X 

trusted  recovery 

- 

- 

- 

- 

X 

s 

trusted  distribution 

- 

- 

- 

- 

- 

X 

user’s  guide  to  security 

X 

s 

s 

s 

s 

s 

facility  security  manual 

X 

X 

X 

X 

X 

s 

test  documentation 

X 

s 

s 

X 

s 

X 

design  documentation 

X 

s 

X 

X 

X 

X 

(x  =  requirements  for  this  class;  s  =  same  requirements  as  to  left) 


Each  division  consists  of  one  or  more  numbered  classes,  witib  higher  numbers 
indicating  a  greater  degree  of  security.  For  example,  division  C  contains  two  distinct 
classes  (C2  offers  more  security  than  Cl).  The  C2  level  is  today’s  de  facto  commercial 
IS  security  standard.  It  adds  auditing  facilities  to  the  basic  Cl  requirements  of  a  system 
security  architecture,  user  authentication,  and  security  documentation.  Division  B 
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contains  three  classes  (B3  offers  more  security  than  B2,  which  offers  more  security  than 
Bl).  B-level  requirements  add  advanced  privacy  protection  facilities;  division  A 
currently  contains  only  one  class.  A1  levels  reflect  the  government’s  most  sensitive 
national  security  needs.  Requirements  include  copious  vendor  documentation  and  costly 
and  extensive  testing  beyond  B3  demands  by  the  National  Computer  Security  Center. 

Ongoing  debates  about  the  Orange  Book  are  many  and  this  guide  will  undergo 
revision  in  the  future  with  the  changing  of  technologies.  But  now  it  is  still  the  standard 
for  secure  systems.  Some  of  the  debates  have  evolved  in  the  following  areas: 

1.  The  model  works  only  for  government  classified  environment  and  is  not 
appropriate  for  the  protection  of  commercial  data  where  data  integrity  is  the 
chief  concern. 

2.  It  focuses  on  only  one  aspect  of  security,  namely  secrecy,  while  paying  little 
attention  to  the  principles  of  accuracy,  availability  and  authenticity. 

3.  It  emphasizes  protection  from  unauthorized  access  from  outside,  while  most 
security  attacks  actually  involve  insiders. 

4.  The  guidelines  do  not  address  networking  issues.  (Another  book  called  the 
Red  book  addresses  this  issue) 

5.  It  contains  only  a  small  number  of  security  ratings.  (Russell  and  Gangemi, 
Sr.,  1991) 

Vendors  can  submit  their  operating  system  for  free  compliance  testing  for  A  and  B 
level  security  to  the  NCSC.  The  center  has  discontinued  evaluating  C-level  operating 
systems  due  to  budgetary  constraints.  A  few  vendors  choose  to  submit  their  commercial 
offerings  because  of  the  time  involved-  a  new  version  is  usually  out  before  the  evaluation 
is  complete.  Instead,  most  vendors  design  their  operating  systems  “to  meet”  Orange 
Book  requirements.  (Melford,  1995) 
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vn.  CONCLUSION 


The  future  of  access  control  techniques  is  now  one  of  positive  progress  and 
development  for  the  computer  security  industry.  These  advanced  authentication 
mechanisms  have  become  popular  and  widely  used  due  to  their  high  degree  of  accuracy 
and  security. 

As  postulated  in  this  survey,  the  traditional  password  is  still  the  common  means  of 
authentication  for  the  user.  This  paper  concludes  tiiat  passwords  can  be  a  strong 
component  and  basis  of  user  authentication  but  that  other  advanced  authentication 
mechanisms  can  be  even  more  efficient  and  sophisticated  such  as  tokens,  smart  cards, 
challenge  response  systems,  and  biometrics  recognition  techniques. 

For  the  future,  it  appears  that  biometrics  will  become  more  popular  as  technology 
makes  the  cost  of  implementing  these  sophisticated  verification  methods  more  affordable. 
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APPENDIX  A.  PRODUCT  LIST 


Authentication  Method(s): 

Biometrics 

Device(s): 

Access-control  hardware,  fingerprint  identification 

Product  Name: 

TouchLan  n 

Product  Features: 

Access  control  for  network  fi'om  a  host  computer 

Supplier  Name: 

Identix  Incorporated 

Authentication  Method(s): 

Biometrics 

Device(s): 

Access-control  hardware,  fingerprint  identification 

Product  Name: 

TouchSafe  H 

Product  Features: 

Fingerprint  identity  verification  for  stand-alone  or  network  configurations. 

Supplier  Name: 

Identix  Incorporated 

Authentication  Method(s): 

Biometrics 

Device(s): 

Access-control  hardware,  hand  geometry  identification 

Product  Name: 

ID3D  HandKey 

Product  Features: 

Add  “Who  You  Are”  to  your  ID  and  security  systems. 

Supplier  Name: 

Recognition  Systems,  Inc. 

Authentication  Method(s): 

Biometrics 

Device(s): 

Access-control  hardware,  iris  identification 

Product  Name: 

IriScan’s  System  2000EAC 

Product  Features: 

Biometric  identification  technology  for  entry  and  access  control,  computer  and 
network  security. 

Supplier  Name: 

MScan 

Authentication  Method(s): 

Biometrics 

Device(s): 

Access-control  hardware,  retinal  recognition 

Product  Name: 

System  2001  Retinal  Recognition 

Product  Features: 

i^Ucable  for  access  control  and  information  security. 

Supplier  Name: 

EydDentity  inc. 

Authentication  Method(s): 

Biometrics 

Device(s): 

Access-control  hardware,  signature  identification 

Product  Name: 

ID-007 

Product  Features: 

Signature  verification  to  identify  a  person. 

Supplier  Name: 

Cadix  International,  Inc. 
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Anthentication  Method(s):  Biometrics 

Device(s):  Access-control  hardware,  voice/signature  verification 
Product  Name:  Veritel  Voice  Verification  System 

Product  Features:  Biometrics  based  access  security  method  in  which  a  speaker’s  identity  is  verified 
by  comparing  stored  voice  prints  of  known  origin  against  new  samples  of  speech 
firom  the  person  claiming  the  identity. 

Supplier  Name:  Veritel  Corporation 

Authentication  Method(s):  Challenge-response 

Device(s):  Access-control  hardware 
Product  Name:  AccessKey  n 

Product  Features:  Challenge/response  methodology  for  two-factor  authorization  security. 

Supplier  Name:  Vasco  Data  Security  Inc. 

A^uthentication  Method(s):  Challenge-response 

Device(s):  Access-control  hardware 
Product  Name:  Multi-Platform  Access  Control  System 

Product  Features:  Offers  both  single-line  (SLC)  and  multi-line  (MLC)  solutions  for  maximizing 
computer  and  network  access  control  systems. 

Supplier  Name:  CRYPTOCard,  Inc. 

Authentication  Method(s):  Challenge-response 

Device(s):  Access-control  software 
Product  Name:  Stoplight 

Product  Features:  Security  for  PCs  and  LANs. 

Supplier  Name:  Safetynet,  Inc. 

Authentication  Method(s):  Challenge-response,  password 
Device(s):  Access-control  software  (token) 

Product  Name:  LOCKout 

Product  Features:  Solves  organization’s  remote  access  security  problems.  Password  protection  is 
replaced  with  a  unique,  one-time  challenge  response  technique  using  the 
LOCKout  Data  Encryption  Standard  (DES)  solution.  LOCKout  Fortezza  is  a  key 
component  of  the  National  Security  Agency’s  MOSAIC  program  for  secure 
Department  of  Defense  messaging.  It  meets  the  needs  of  civilian  and  mihtaiy 
government  agencies  who  require  the  protection  of  sensitive  but  rmclassified 
information. 

Supplier  Name:  Secure  Computing  Corporation 
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Anthentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Metfaod(s): 

Device(s): 
Product  Name: 
Product  Features: 


Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Anthentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Device{s): 
Product  Name: 
Product  Features: 
Supplier  Name: 


Password 

Access-control  hardware 
DK1125 

Installed  at  the  remote  site  between  the  user’s  PC  and  the  modem  for  dial  in 
remote  user  authentication  to  Security  Systems. 

Optimum  Electronics,  Inc. 

Password 

Access-control  hardware 
IDG-9102  Intelligent  Data  Guard 

T.imiting  access  to  dialup  ports.  Provides  security  for  dialup  modems  in  computer 
rooms,  office  environments,  and  telephone  equipment  rooms.  The  modem  cannot 
be  detected  by  hackers  as  carrier  is  not  placed  on  the  line  nor  is  there  any  screen 
dialogue  until  the  correct  password  h^  been  received.  The  Intelligent  Data 
Guard  (IDG)  will  become  the  first  line  of  defense  because  any  unauthorized  caller 
will  never  obtain  carrier. 

Intelligent  Supervisory  Systems 
Password 

Access-control  hardware 
SafeWord  Token 
Password  generators. 

Enigma  Logic 

Password 

Access-control  software 
Access  Manager 

Provides  sin^e  sign-on  user  authentication  and  access  control. 

Enterprise  Systems  ICL  Inc. 

Password 

Access-control  software 
ACSplus 

Stops  unauthorized  access  to  workstations. 

SecureNet  Technologies  Inc. 

Password 

Access-control  software 
C3pherPAD 

Drive  locking,  computer  privacy  system  for  Macintoshes. 

UsrEZ  Software  Inc. 
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Authentication  Method(s):  Password 

Device(s):  Access-control  software 
Product  Name:  D-View 

Product  Features:  Provides  password  protection  and  Simple  Network  Management  Protocol 
(SNMP)  community  name  to  prevent  unauthorized  access  or  manipulation  of  the 
devices  on  the  network. 

Supplier  Name:  D-Link 

Authentication  Method(s):  Password 

Device(s):  Access-control  software 
Product  Name:  Defender  Security  Server 
Product  Features:  Runs  on  government-certified  secure  operating  system. 

Supplier  Name:  Digital  Pathw^s,  Inc. 

Authentication  Method(s):  Password 

Device(s):  Access-control  software 
Product  Name:  E-NSI 

Product  Features:  Operates  in  the  MVS  environment  with  all  major  security  tystems  to  permit 
seamless  password  authentication  with  multiple  IBM  AIX  and  AT&T  UNIX 
systems.  Interfeces  with  the  ADC  3270  Host  Connection  Program,  or  TELNET 
and  tn3270  on  the  server  system  to  provide  end-user  authentication  on  the  MVS 
host. 

Supplier  Name:  Eberhard  Klemens  Company 

Autheutication  Method(s):  Password 

Device(s):  Access-control  software 
Product  Name:  EatySafe 

Product  Features:  Security  and  encryption  product  designed  specifically  for  notebook  use. 

Supplier  Name:  EliaShim-Safe  Software 

Authentication  Method(s):  Password 

Device(s):  Access-control  software 
Product  Name:  Empower 

Product  Features:  Security  software  for  Macintosh,  Power  Macintosh,  PowerBook,  or  Proforma 
computers. 

Supplier  Name:  Magna 


44 


Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 


Password 

Access-control  software 
ETF/T 

For  CA-Top  Secret,  allows  controlled  usage  of  special  privileges  during  an 
emergency  situation. 

Eberhard  Klemens  Company 
Password 

Access-control  software 
FileGuard 

Access  control  security  management  for  Macintosh  systems. 

ASD  Software,  Inc. 

Password 

Access-control  software 
Guardian 

Access  security  for  UNIX.  Requires  users  to  change  passwords  on  a  regular 
basis,  generate  easily  remembered  passwords. 

Datalynx 

Password 

Access-control  software 
MasterSafe 

Access  control  and  management  tystem  designed  to  protect  DOS/Windows 
workstation  from  unauthorized  access  to  programs  or  data  in  a  stand-alone, 
networked,  or  client/server  environment.  C2  compliant. 

EliaShim-Safe  Software 

Password 

Access-control  software 
METZ  Lock 

Protects  against  unwanted  input  from  both  ktyboard  and  mouse. 

METZ  Software 

Password 

Access-control  software 
Password  Coach 

Provides  consistent  enforcement  of  policies  which  require  users  to  create  difficult- 
to-guess,  yet  easy-to-remember  passwords. 

Baseline  Software 
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Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Devicc(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 


Password 

Access-control  software 
Password  Genie 

Automatically  generates  passwords  which  have  been  screened  with  weak  or 
easily-guessed  password  tests. 

Baseline  Software 

Password 

Access-control  software 
SafeWord  Software 

Provides  enhanced  network  authentication  and  ease  of  access  to  local  and  wide 
area  networks  via  Dynamic  Passwords  that  change  with  every  log-on. 

Enigma  Logic 
Password 

Access-control  software 
Security  Administration  Manager 

To  help  ^stem  administrator  in  keeping  information  security  under  control. 
Tnfftmal  SAM  security  mechanisms  guarantee  consistent  and  controlled  security 
definitions  for  all  integrated  target  systems  at  all  times. 

Schumann  Security  Software  Inc. 

Password 

Access-control  software 

SQL  SECURE/Client  Server  Database  Security 

For  security  and  database  administrator  to  manage  all  aspects  of  client/server 
database  user  authentication  and  security  auditing. 

BrainTree  Technology,  Inc. 

Password 

Access-control  software 
Trusted  Access 

Password  management  for  automatic  policy  enforcement. 

Lassen  Software,  Inc. 

Password 

Access-control  software 
ultraCOMMAND 

Network  management  and  security  administration  tystem  for  the  Macintosh. 
UsrEZ  Software  Inc. 
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Authentication  Method(s): 

Password 

Device(s): 

Access-control  software 

Product  Name: 

ultraSHIELD 

Product  Features: 

Password  managed  computer  access  control  for  Macintosh. 

Supplier  Name: 

UsrEZ  Software  Inc. 

Authentication  Method(s): 

Password 

Device(s): 

Access-control  software 

Product  Name: 

Workstation  Manager  Plus 

Product  Features: 

A  comprehensive  workstation  control  and  security  product.  Available  for  stand 
alone  workstations  and  for  Novell  NetWare. 

Supplier  Name: 

PC  Guardian 

Authentication  Method(s): 

Password,  callback 

Device(s): 

Access-control  hardware 

Product  Name: 

Modem  Security  Enforcer 

Product  Features: 

Security  for  dial-up  modems  on  in-house  computer  systems,  LAN  and  WAN 
network  nodes,  PBX  maintenance  posts,  station  message  detail  recording  devices. 

Supplier  Name: 

IC  Engineering,  Inc. 

Authentication  Method(s): 

Password,  caller  ID 

Device(s): 

Access-control  hardware 

Product  Name: 

IDG-9100  Intelligent  Data  Guard 

Product  Features: 

Uses  Caller  ID  to  deny  access  to  unauthorized  callers  by  preventing  the  ring 
signal  from  reaching  the  modem  unless  the  telephone  number  of  the  calling  party 
matches  one  of  the  numbers  in  the  user-programmable  directory. 

Supplier  Name: 

Intelligent  Supervisory  Systems 

Authentication  Method(s): 

Password,  certificate-based 

Device(s): 

Access-control  software 

Product  Name: 

Secure  Access  System 

Product  Features: 

For  remote  users  and  tools  for  network  administrators.  Security  features  include: 
access  control,  authentication,  integrity  and  privacy.  Uses  digital  certificate 
authentication  and  access. 

Supplier  Name: 

Cylink 

Authentication  Method(s): 

Password,  Challenge-response 

Device(s): 

Access-control  hardware 

Product  Name: 

Defender  Series 

Product  Features: 

Controls  user  access  by  time-of-day  or  length  of  session. 

Supplier  Name: 

Digital  Pathways,  Inc. 
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Autbentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Devicc(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 


Password,  Challenge-response 
Access-control  hardware  (token) 

RB-1  token 

Access  control  seciuily,  interoperable  (Mainframe,  midrange,  LAN,  PCs). 
CRYPTOCard,  Inc. 

Password,  Challenge-response 
Access-control  hardware/smart  disk 
SB-1 

Provides  access  control  for  IBM  compatible  PCs,  protection  of  hard  disk  data, 
remote  multi-platform  hosts. 

CRYPTOCard,  Inc. 

Password,  Challenge-re^nse 
Access-control  software 
Software  Secure  Net  Keys 

User  authentication  tools,  employ  Data  Encryption  Standard  (DES)  algorithm  to 
generate  unique,  one  time  passwords. 

Digital  Pathways,  Inc. 

Password,  dial  back 
Access-control  software 
CoSecure 

Modem  security  software  with  dial-back  capability. 

CoSystems 

Password,  encryption 
Access-control  hardware 
PathKey  Domain  Series 

Delivers  automatic  and  transparent  remote  access  security  services  to  larger, 
dynamically  growing  user  environments. 

Patalon 

Password,  encryption 
Access-control  hardware 
PathKty  Series 

Offers  authentication  and  data  encryption  capabilities  for  small-to-medium  sized 
workgroiqrs  (imder  500  nodes),  and  operates  in  peer-to-peer  or  Client/Server 
configurations. 

Paralon 
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Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 


Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 


Password,  encryption 

Access-control  software 

BoKs  Access  Control  System 

Security  for  a  Lxrcal  Area  Network  or  an  Enterprise. 

Securix 

Password,  encryption 
Access-control  software 
UK/Login 

Single  authentication  action  will  validate  end-users  for  exchanging  data  with  all 
the  servers  for  which  they  are  authorized  access.  Servers  rely  on  public  key 
signatures  for  proof  of  user  identity. 

LJK  Software 

Password,  encryption 
Access-control  software 
ProGuard 

For  single  PC  protection  and  environments  where  multiple  users  share 
computers. 

Vasco  Data  Security  Inc. 

Password,  encryption 
Access-control  software 
ultraSECURE 

Access  management  security  software  for  Macintosh.  Password  controlled 
computer  access  control.  Specialized  versions  available  to  authorized  entities  of 
the  U.S.  Government.  Compliant  Class  C2,  Defense  Trusted  Computer  System 
Evaluation  Criteria  (DoD  5200.28-STD). 

UsrEZ  Software  Inc. 


Password,  ID 
Access-control  software 
OmniGuardyEnterprise  Access  Control  (EAC) 

Supplements  existing  security  and  access  controls  in  UNIX  clients,  and  provides 
complete  security  protection  for  PC  and  PC/LAN  environments. 

Axent  Technologies,  Inc. 
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Authentication  Metiiod(s): 

Password,  ID 

Device(s): 

Access-control  software 

Product  Name: 

OmniGuardyEnterprise  SignOn  (ESO) 

Product  Features: 

Network-wide  user  administration,  identification,  and  authentication  tool. 
Enables  users  to  log  on  to  the  network  and  automatically  gain  secure  access  to 
heterogeneous  platforms  without  multiple  log-ins. 

Supplier  Name: 

Axent  Technologies,  Inc. 

Authentication  Method(s): 

Password,  token 

Device(s): 

Access-control  software 

Product  Name: 

CA-TOP  SECRET/PC 

Product  Features: 

Secures  personal  computers  that  are  network-connected  to  a  central  IBM  MVS 
mainframe.  Also  available  CA-TOP  SECRET  for  the  YM  environment. 

Supplier  Name: 

Computer  Associates  International 

Authentication  Method(s): 

Password,  trusted  systems  technologies 

Device(s): 

Access-control  software 

Product  Name: 

The  Argus  Bl/CMW,  C2/TMW 

Product  Features: 

Advanced  trusted  UNIX  operating  system  technology  that  provides  Multilevel 
Security  (MLS)  for  PCs,  workstations,  and  servers. 

Supplier  Name: 

Argus  Systems  Group,  Inc. 

Authentication  Method(s): 

Password,  trusted  systems  technologies 

Device(s): 

Access-control  software 

Product  Name: 

DECAF  (Version  1.1,  for  Solaris  2.x) 

Product  Features: 

Quarantine  sensitive,  personal,  mission  critical  resources  of  all  kinds.  User 
installable,  generic  system  security  utility  for  creating  secure  execution 
environments  for  Java  applets,  and  other  network-borne  applications  or  agents. 

Supplier  Name: 

Argus  Systems  Group,  Inc. 

Authentication  Method(s): 

Password,  two-levels 

Device(s): 

Access-control  software 

Product  Name: 

DiskGuard 

Product  Features: 

Security  (hard-disk)  protection  for  the  Macintosh  system  which  uses  two 
password  levels. 

Supplier  Name: 

ASD  Software,  Inc. 
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Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 


Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 


Supplier  Name: 

Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 

Supplier  Name: 


Passwords,  ID,  and  Pager  combination 
Access-control  software 
Pager  Access  Module 

Uses  any  standard  digital  diqtlay  pager  to  provide  direct  dial  authentication  for 
secured  remote  networic  access.  The  logic  is,  if  you  KNOW  the  correct  ID  & 
Password  combination,  and  you  HAVE  the  right  pager,  it  must  be  you. 

MicroFrame 

Smart  Card 

Access-control  hardware 
International  SmartCard  Reader 

Adaptable  to  a  variety  of  popular  international  SmartCard  standards  and  provides 
an  alternative  to  AccessKey  technology  for  user  authentication. 

Vasco  Data  Security  Inc. 


Smart  Card 

Access-control  hardware 
Model  lOSM  300,  350, 500 

Token-based  information  security  product.  Security  services  include; 
authentication,  confidentiality,  integrity,  and  non-repudiation.  Can  be  used 
organizational  management,  LAN  administrators,  system  administrators,  security 
officers,  LAN  users. 

Datakey 
Smart  Card 

Access-control  hardware 
PCSS  Plus 

Personal  Computer  Security  System  that  protects  personal  computer  and  network 
by  positively  identifying  users  before  they  gain  access  to  the  system.  PCSS  Plus 
identifie.<!  its  users  1^  way  of  smart  cards  and  smart  card  reader/writer  (desktop 
PCs). 

Personal  Cipher  Card  Corporation 


Token 

Access-control  hardware 
National  Fortezza  Crypto  Card 

High  performance  data  security  token  designed  to  meet  the  requirements  of  the 
U.S.  Department  of  Defense’s  new  Defense  Message  System  (DMS).  The  DMS 
will  handle  “unclassified  but  sensitive”  e-mail. 

National  Semiconductor  Corporation 
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Authentication  Method(s): 

Token 

Device(s): 

Access-control  hardware 

Product  Name: 

PersonaCard  100  Series 

Product  Features: 

Security  functions  include:  privacy,  verification,  digital  signature  and 
authentication. 

Supplier  Name: 

National  Semiconductor  Corporation 

Authentication  Method(s): 

Token 

Device(s): 

Access-control  software 

Product  Name: 

SOFTKEY 

Product  Features: 

For  laptops,  notebooks,  or  personal  computers.  Serves  as  the  user’s  “have 
something. 

Supplier  Name: 

Optimum  Electronics,  Inc. 

Authentication  Method(s): 

Token  (in-line  token) 

Device(s): 

Access-control  software 

Product  Name: 

SofKEY 

Product  Features: 

A  software  security  module  that  converts  any  MS-DOS  based  PC  or  Laptop  into  a 
“Direct  Dial”  positive  user  authentication  token. 

Supplier  Name: 

MicroFrame 

Authentication  Method(s): 

Token  (off-line  token),  password 

Device(s): 

Access-control  hardware 

Product  Name: 

PassKEYH 

Product  Features: 

A  pocket  sized  positive  user  authentication  token  that  generates  a  “one-time” 
password  tmique  to  each  user  &  different  for  each  use. 

Supplier  Name: 

MicroFrame 

Authentication  Method(s): 

Token  based 

Device(s): 

Access-control  hardware 

Product  Name: 

Secure  ID  tokens 

Product  Features: 

Access-control  tokens  carried  by  authorized  users. 

Supplier  Name: 

Security  Dynamics 

Authentication  Method(s): 

Token  based 

Device(s): 

Access-control  software 

Product  Name: 

ACE/Server 

Product  Features: 

Security  software  for  client/server  network 

Supplier  Name: 

Security  Dynamics 
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Authenticatioii  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 


Token  based 

Access-control  software,  hardware 
Access  Control  Module  (ACM) 

Security  software  or  hardware  for  host-based  access  control. 
Security  Dynamics 


Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 


Token,  Challenge-response 
Access-control  hardware 
Access  I  &  n 

Handheld  token  which  can  optically  read  a  flashing  pattern  challenge. 
Optimum  Electronics,  Inc. 


Authentication  Method(s): 

Device(s): 
Product  Name: 
Product  Features: 
Supplier  Name: 


Token,  random  password  generator 
Access-control  hardware 
PAScard 

Random  password  generating  token  to  authenticate  users. 
Optimum  Electronics,  Inc. 
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APPENDIX  B.  SUPPLIER  LIST 


Supplier  Name: 

Argus  Systems  Group,  Inc. 

Supplier  Name: 

BrainTree  Technology,  Inc. 

Contact  Name: 

Mary  P.  Sandone 

Contact  Name: 

Paul  B.  Currier 

Contact  Title: 

Office  Manager 

Contact  Title: 

Sales  Representative 

Address: 

1405 A  East  Florida  Avenue 

Address: 

62  Accord  Park  Drive 

Urbana,  IL  61801 

Norwell,  MA  02061 

Phone  Number: 

(217)384-6300 

Phone  Number: 

(617)982-0200 

Fax  Number: 

(217)384-6404 

Fax  Number: 

(617)982-8076 

E-Mafl: 

E-Mail: 

Supplier  Name: 

ASD  Software 

Supplier  Name: 

Cadix  International,  Inc. 

Contact  Name: 

Contact  Name: 

Contact  Title: 

Contact  Title: 

Address: 

4650  Arrow  Highway,  Suite  E6 

Address: 

5000  Birch  Street,  East  Tower, 

Montclair,  CA  91763 

Suite  210 

Phone  Nnmben 

(909)624-2594 

Newport  Beach,  CA  92660 

Fax  Number: 

(909)624-9574 

Phone  Number: 

(714)476-3611 

E-Mail: 

102404.3630@compuserve.com 

Fax  Number: 

(714)476-3671 

E-Mail: 

Supplier  Name: 

Axent  Technologies,  Inc. 

Supplier  Name: 

Computer  Associates 

Contact  Name: 

John  C.  McCurdy 

International 

Contact  Title: 

Senior  Account  Manager 

Contact  Name: 

Siki  Giimta 

Address: 

2155  N.  Freedom  Blvd. 

Contact  Title: 

Bus.  Unit  Executive 

Provo,  UT  84604 

Address: 

One  Computer  Associates  Plaaa 

Phone  Number: 

(801)227-3718 

Islandia,NY  11788 

Fax  Number: 

(801)227-3781 

Phone  Number: 

(516)342-2261 

E-Mafl: 

johmcc@axent.com 

Fax  Number: 

(516)342-5329 

E-Mail: 

Supplier  Name: 

Baseline  Software 

Supplier  Name: 

CoSystems 

Contact  Name: 

Contact  Name: 

SamNg 

Contact  Title: 

Contact  Title: 

Director  of  Business 

Address: 

P.  0.  Box  1219 

Development 

Sausalito,  CA  94966 

Address: 

1263  Oakmead  Parkw^ 

Phone  Number: 

(415)332-7763 

Sunnyvale,  CA  94086 

Fax  Numben 

(415)332-8032 

Phone  Number: 

(408)522-0507 

E-Mafl: 

3 143490@mcimail.com 

Fax  Number: 

(408)720-9114 

E-Mail: 

samng@cosystems.com 
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Supplier  Name:  CRYPTOCard,  Inc. 

Contact  Name:  D.  Wade  Clark 
Contact  Title:  VP,  Sales  &  Marketing 
Address:  1649  Barclay  Blvd. 

Buffalo  Grove,  IL  60089 
Phone  Number:  (847)459-6500 
Fax  Numben  (847)459-6599 

E-Mail:  token@cryptocard.com 

Supplier  Name:  Cylink 
Contact  Name:  Pat  Confer 
Contact  Title:  Area  Manager 
Address:  910  Hermosa  Court 

Sunityvale,  CA  94086 
Phone  Numben  (408)735-5872 
Fax  Numben  (408)735-6685 
E-Mail:  patc@cylM:.com 

Supplier  Name:  D-Link 
Contact  Name: 

Contact  Title: 

Address:  5  Mustek 

Irvine,  CA  92718 
Phone  Number:  (714)455-1688 
Fax  Numben  (714)455-2521 
E-Mail: 

Supplier  Name:  Datak^ 

Contact  Name:  Michael  A.  Loequegnies 

Contact  Title:  Dir.  Of  Marketing  &  Sales, 

Information  Security  Solutions 

Address:  407  West  Travelers  Trail 
Burnsville,  MN  55337 
Phone  Numben  (612)890-6850 
Fax  Number:  (612)890-2726 
E-Mafl: 

Supplier  Name:  Datalynx 
Contact  Name: 

Contact  Title: 

Address:  6633  Convoy  Court 

San  Diego,  CA  92111 
Phone  Number:  (619)560-8112 
Fax  Numben  (619)560-81 14 

E-MaU:  datalynx@netcom.com 


Supplier  Name:  Digital  Pathways,  Inc. 
Contact  Name: 

Contact  Title: 

Address:  201  Ravendale  Drive 

Mountain  View,  CA  94043 
Phone  Number:  (415)964-0707 
Fax  Number:  (415)961-7487 
E-Mail: 

Supplier  Name:  Eberhard  Klemens  Company 
Contact  Name:  Susan  J.  Steiner 
Contact  Title:  Administrative  Assistant 
Address:  10400  W.  Higgins  Road 
Rosemont,  IL  60018 
Phone  Number:  (847)296-8010 
Fax  Number:  (847)296-8016 
E-Mail: 

Supplier  Name:  EliaShim-Safe  Software 
Contact  Name: 

Contact  Title: 

Address:  One  South  West  129  Avenue, 
Suite  105 

Pembroke  Pines,  FL  33027 
Phone  Number:  (305)450-96 1 1 
Fax  Number:  (305)450-9612 
E-Mail: 

Supplier  Name:  Enigma  Logic 
Contact  Name:  Thomas  J.  Brady 

Contact  Title:  VP  Sales  &  Worldwide 
Distribution 

Address:  2151  Salvio  Street,  Suite  201 
Concord,  CA  94520 
Phone  Number:  (510)827-5707 
Fax  Number:  (510)827-2593 

E-Mail:  sales@safeword.com 

Supplier  Name:  Enterprise  Systems  ICL  Inc. 
Contact  Name:  Richard  A.  Gill 
Contact  Title:  Account  Manager 

Address:  1 1490  Commerce  Park  Drive 
Reston,  VA  22091 
Phone  Number:  (703)648-3357 
Fax  Number:  (703)648-3350 

E-Mail:  r.gill@reston.icl.com 
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Supplier  Name:  EyeDentify  inc. 

Contact  Name:  Budd^Boyett 
Contact  Title:  VP,  Business  Development 
Address:  10473  Old  Hammond  Hwy. 
Baton  Rouge,  LA  70816 

Phone  Number: 

Fax  Number:  (504)927-4290 
E-Mail:  (504)927-5385 

Supplier  Name:  IC  Engineering,  Inc. 

Contact  Name: 

Contact  Title: 

Address:  P.O.  Box  321 

OwingsMill,MD  21117 
Phone  Number:  (410)363-8748 
Fax  Number: 

E-Mail: 

Supplier  Name:  Identix  Incorporated 
Contact  Name:  Anna  C.  Stockel 

Contact  Title:  Director,  Fingerprint 
Identification  Products 

Address:  510  N.  Pastoria  Avenue 
Sunnyvale,  CA  94086 
Phone  Number:  (408)739-2000 
Fax  Number:  (408)739-3308 

E-Mail:  anna@identix.usa.com 

Supplier  Name:  Intelligent  Supervisory  Systems 
Contact  Name: 

Contact  Title: 

Address:  6045  Augusta  National  Drive, 
Suite  300 

Orlando,  FL  32822 
Phone  Number:  (407)240-5543 
Fax  Number: 

E-Mail:  donniea@aol.com 

Supplier  Name:  IriScan 
Contact  Name:  Kelly  L.  Gates 
Contact  Title:  Marketing  Manager 
Address:  133-Q  Gaither  Drive 
Mt.  Laurel,  NJ  08054 
Phone  Number:  (609)234-7977 
Fax  Number:  (609)2344768 
E-Mail:  iriscan@aol.com 


Supplier  Name:  Lassen  Software,  Inc. 

Contact  Name:  Gary  Blackman 
Contact  Title:  Sales  Manager 

Address:  1835-A  South  Center  City 
Parkway 

Escondido,  CA  92025 
Phone  Number:  (619)737-3190 
FaxNumben  (619)737-0145 

E-Mail:  76704,40@compuserve.com 

Supplier  Name:  LJK  Software 
Contact  Name: 

Contact  Title: 

Address:  One  Kendall  Square,  Suite  2200 
Cambridge,  MA  02139 
Phone  Number:  (617)558-3270 
FaxNumben  (617)558-3274 
E-Mail:  Sales@LJK.com 

Supplier  Name:  Magna 
Contact  Name: 

Contact  Title: 

Address:  1999  So.  Bascom  Ave.,  Suite  810 
Campbell,  CA  95008 
Phone  Number:  (408)879-7900 
FaxNumben  (408)879-7979 

E-Mail:  magna@ciq).portal.com 

Supplier  Name:  METZ  Software 
Contact  Name:  Art  Metz 
Contact  Title:  Sales  Representative 
Address:  P.O.  Box  6699 

Bellevue,  WA  98008 
Phone  Number:  (206)6414525 
FaxNumben  (206)644-6026 

E-Mail:  CompuServe:75300,1627 

Supplier  Name:  MicroFrame 
Contact  Name: 

Contact  Title: 

Address:  21  Meridian  Road 
Edison,  NJ  08820 
Phone  Number:  (908)4944440 
FaxNumben  (908)4944570 
E-Mail: 
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Supplier  Name:  National  Semiconductor 
Corporation 

Contact  Name:  Larry  Van  Valkenburgh 

Contact  Title:  Dir.,  Charmel  Development, 
iPower  Business  Unit 

Address:  1090  Kifer  Road,  Mail  Stop 
16-225 

Surmyvale,  CA  94086 
Phone  Numben  (408)721-5087 
Fax  Number:  (408)245-7906 

E-MaU:  larry@ipower.nsc.com 

Supplier  Name:  Optimum  Electronics,  Inc. 
Contact  Name:  Charlotte  Rebeschi 
Contact  Title:  Marketing  Administration 
Address:  425  Washington  Avenue 
North  Haven,  CT  06473 
Phone  Number:  (203)239-6098 
Fax  Number:  (203)234-9324 
E-Mail: 

Supplier  Name:  Paialon 
Contact  Name:  Jaclden  Evans 
Contact  Title:  Account  Representative 

Address:  3650  13 1st  Avenue  SE,  Suite  210 
Bellevue,  WA  98006 
Phone  Number:  (206)641-8338 
Fax  Number:  (206)641-1347 
E-Mad: 

Supplier  Name:  PC  Guardian 
Contact  Name:  Dan  J.  Gannett 
Contact  Title:  Regional  Sales  Manager 

Address:  1133  Francisco  Blvd.  E.,  Suite  D 
SanRafeel,  CA  94901 
Phone  Number:  (4 15)459-0 1 90 
Fax  Number:  (415)459-1162 

E-Mail:  pcguard@ix.netcom.com 


Supplier  Name:  Recognition  Systems,  Inc. 
Contact  Name: 

Contact  Title: 

Address:  1520  Dell  Avenue 

CampbeU,  CA  95008 
Phone  Number:  (408)364-6960 
Fax  Number:  (408)370-3679 
E-Mad: 


Supplier  Name:  Safetynet,  Inc. 

Contact  Name: 

Contact  Title: 

Address:  140  Mountain  Avenue 
Springfield,  NJ  07081 
Phone  Number:  (800)672-7233 
Fax  Number: 

E-Mail:  safety@safe.net 

Supplier  Name:  Schumaim  Security  Software, 
Inc. 

Contact  Name:  Amy  Leith 
Contact  Title:  Sales/Marketing  Associate 

Address:  3 12  Marshall  Avenue,  Suite  400 
Laurel,  MD  20707 
Phone  Number:  (301)483-8807 
Fax  Number:  (301)483-8349 

E-Mail:  102214.2404@compuserve.com 

Supplier  Name:  Secure  Computing  Corporation 
Contact  Name:  Roy  Lewis 
Contact  Title:  Sales  Representative 
Address:  2675  Long  Lake  Road 
Roseville,  MN  55113 
Phone  Number:  (612)628-6243 
Fax  Number:  (612)628-2701 
E-Mail:  rlewis@sctc.com 
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Supplier  Name: 

Contact  Name: 
Contact  Title: 
Address: 

Phone  Number: 
Fax  Number 
E-MaU: 

Supplier  Name: 
Contact  Name: 
Contact  Title: 
Address: 

Phone  Number. 
Fax  Number 
E-Mail: 

Supplier  Name: 
Contact  Name: 
Contact  Title: 

Address: 

Phone  Number 
Fax  Number 
E-Mail: 

Supplier  Name: 
Contact  Name: 
Contact  Title: 
Address: 

Phone  Number 
Fax  Number 
E-MaU: 


Personal  Cipher  Card 

Supplier  Name: 

UsrEZ  Software  Inc. 

Corporation 

3211  Boimybrook  Dr.  N. 

Lakeland,  FL  33811 

Contact  Name: 

Contact  Title: 

Address: 

Linda  L.  Cole 
Communications  Manager 

18881  Von  Karman  Avenue 
Tower  17,  Suite  1270 

Irvine,  CA  92715 

(941)644-5026 

Phone  Number: 

(714)756-5140 

(914)644-1933 

CompuServe:  72130,3576 

Fax  Number: 

E-Mail: 

(714)756-8810 

SecureNet  Technologies  Inc. 

Supplier  Name: 

Vasco  Data  Security  Inc. 

Joshua  M.  Sklare 

Contact  Name: 

Erling  Smedvig 

Sales  Representative 

Contact  Title: 

Sales  Manager 

2100  196th  Street  SW,  Suite  124 
Lyimwood,  WA  98036 
(206)776-2524 

Address: 

1919  S.  Highland  Avenue, 
Suite  118-C 

Lombard,  IL  60148 

(206)776-2891 

Phone  Number: 

Fax  Number 

E-Mail: 

(708)932-8844 

(708)495-0279 

ess@vdsi.com 

Security  Dynamics 

Supplier  Name: 

Veritel  Corporation 

David  A.  Hammond 

Contact  Name: 

Robert  Koretz 

Manager,  Marketing 

Contact  Title: 

Sales  Representative 

Communications 

One  Alewife  Center 

Cambridge,  MA  02140 

Address: 

640  North  LaSalle  Street, 
Suite  552 

Chicago,  IL  60610 

(617)234-7402 

Phone  Number: 

(312)751-1188 

(617)354-8836 

Fax  Number: 

E-Mail: 

(312)751-1322 

Secuiix 

KhrisLoux 

VP,  Sales  &  Marketing 
4104  24th  Street,  Suite  341 
San  Francisco,  CA  94114 
(415)695-9474 
(415)695-0998 
khris@securix.com 
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